1   /*
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements.  See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership.  The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License.  You may obtain a copy of the License at
9    *
10   *   http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing,
13   * software distributed under the License is distributed on an
14   * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15   * KIND, either express or implied.  See the License for the
16   * specific language governing permissions and limitations
17   * under the License.
18   */
19  package org.apache.syncope.common.lib.auth;
20  
21  import java.io.Serializable;
22  import java.util.ArrayList;
23  import java.util.List;
24  import java.util.Map;
25  import java.util.concurrent.TimeUnit;
26  import org.apache.syncope.common.lib.AbstractLDAPConf;
27  import org.apache.syncope.common.lib.to.AuthModuleTO;
28  import org.apache.syncope.common.lib.types.X509PolicySetting;
29  import org.apache.syncope.common.lib.types.X509PrincipalType;
30  import org.apache.syncope.common.lib.types.X509RevocationCheckerType;
31  import org.apache.syncope.common.lib.types.X509RevocationFetcherType;
32  import org.apache.syncope.common.lib.types.X509SubjectDnFormat;
33  
/**
 * Configuration bean for the X.509 client-certificate authentication module.
 *
 * Plain serializable settings holder: every property has a default, a getter and a setter;
 * no validation is performed here, so the consumer of this configuration is responsible for
 * checking values. Several defaults are permissive ({@link #revocationChecker} is {@code NONE},
 * {@link #regExSubjectDnPattern} is {@code .+}, {@link #mixedMode} is {@code true}); deployments
 * that rely on certificate authentication as a strong factor should set them explicitly.
 */
public class X509AuthModuleConf implements LDAPDependantAuthModuleConf {

    private static final long serialVersionUID = 1915254775199296906L;

    /**
     * LDAP settings used when certificate revocation lists are looked up from a directory.
     */
    public static class LDAP extends AbstractLDAPConf implements Serializable {

        private static final long serialVersionUID = -7274446267090678730L;

        /**
         * Name of the LDAP attribute holding the certificate revocation list.
         */
        private String certificateAttribute = "certificateRevocationList";

        public String getCertificateAttribute() {
            return this.certificateAttribute;
        }

        public void setCertificateAttribute(final String certificateAttribute) {
            this.certificateAttribute = certificateAttribute;
        }
    }

    /**
     * Name of the authentication handler.
     */
    private String name;

    /**
     * Position of the authentication handler in the chain; defaults to the lowest priority.
     */
    private int order = Integer.MAX_VALUE;

    /**
     * Threshold applied when the expired-CRL revocation policy is handled via threshold.
     * NOTE(review): the unit is not stated here; the default (172800) reads as 48 hours in seconds — confirm.
     */
    private int revocationPolicyThreshold = 172_800;

    /**
     * Whether revocation checking consults every configured resource, or stops at the first one.
     */
    private boolean checkAll;

    /**
     * Refresh interval, in seconds, of the internal scheduler when CRL revocation checking is done
     * via resources.
     */
    private int refreshIntervalSeconds = 3_600;

    /**
     * When CRLs are fetched from distribution points, whether a fetch failure raises an error
     * (default: failures are not raised).
     */
    private boolean throwOnFetchFailure;

    /**
     * How the principal identifier is derived from the certificate; defaults to the subject DN.
     */
    private X509PrincipalType principalType = X509PrincipalType.SUBJECT_DN;

    /**
     * Relevant for {@code CN_EDIPI}, {@code RFC822_EMAIL}, {@code SUBJECT}, {@code SUBJECT_ALT_NAME} principal types.
     */
    private String principalAlternateAttribute;

    /**
     * Relevant for {@code SUBJECT_DN} principal type.
     */
    private X509SubjectDnFormat principalTypeSubjectDnFormat = X509SubjectDnFormat.DEFAULT;

    /**
     * Relevant for {@code SERIAL_NO_DN} principal type.
     * Serial number prefix used for principal resolution.
     */
    private String principalTypeSerialNoDnSerialNumberPrefix = "SERIALNUMBER=";

    /**
     * Relevant for {@code SERIAL_NO_DN} principal type.
     * Value delimiter used for principal resolution.
     */
    private String principalTypeSerialNoDnValueDelimiter = ", ";

    /**
     * Relevant for {@code SERIAL_NO} principal type.
     * Radix used when rendering the serial number (no default is set here).
     */
    private int principalTypeSerialNoSNRadix;

    /**
     * Relevant for {@code SERIAL_NO} principal type.
     * Whether hexadecimal serial numbers are zero-padded.
     */
    private boolean principalTypeSerialNoHexSNZeroPadding;

    /**
     * Strategy used to check certificates for revocation.
     * Defaults to {@code NONE}: revoked certificates are accepted unless this is configured.
     */
    private X509RevocationCheckerType revocationChecker = X509RevocationCheckerType.NONE;

    /**
     * How CRL resources are fetched.
     */
    private X509RevocationFetcherType crlFetcher = X509RevocationFetcherType.RESOURCE;

    /**
     * CRL resources to fetch from. The list is mutable and exposed as-is by {@link #getCrlResources()}.
     */
    private final List<String> crlResources = new ArrayList<>(0);

    /**
     * When CRLs are cached, maximum number of elements kept in memory.
     */
    private int cacheMaxElementsInMemory = 1_000;

    /**
     * When CRLs are cached, whether the cache may overflow to disk.
     */
    private boolean cacheDiskOverflow;

    /**
     * Size of the on-disk cache.
     */
    private String cacheDiskSize = "100MB";

    /**
     * When CRLs are cached, whether cache items never expire.
     */
    private boolean cacheEternal;

    /**
     * Whether X.509 authentication may coexist with other forms of authentication such as
     * username/password. When off, the login form is typically no longer offered as the primary
     * form of authentication. Defaults to on.
     */
    private boolean mixedMode = true;

    /**
     * When CRLs are cached, time-to-live of cache items, in seconds.
     */
    private long cacheTimeToLiveSeconds = TimeUnit.HOURS.toSeconds(4);

    /**
     * Policy applied when the CRL resource is unavailable.
     */
    private X509PolicySetting crlResourceUnavailablePolicy = X509PolicySetting.DENY;

    /**
     * Policy applied when the CRL resource has expired.
     * Used when {@link #revocationChecker} is {@code RESOURCE}.
     */
    private X509PolicySetting crlResourceExpiredPolicy = X509PolicySetting.DENY;

    /**
     * Policy applied when the CRL is unavailable.
     * Used when {@link #revocationChecker} is {@code CRL}.
     */
    private X509PolicySetting crlUnavailablePolicy = X509PolicySetting.DENY;

    /**
     * Policy applied when the CRL has expired.
     * Used when {@link #revocationChecker} is {@code CRL}.
     */
    private X509PolicySetting crlExpiredPolicy = X509PolicySetting.DENY;

    /**
     * Regular expression, supplied by the deployer, that an issuer DN must match to be trusted.
     * No default is provided.
     */
    private String regExTrustedIssuerDnPattern;

    /**
     * Deployer-supplied maximum pathLength accepted in a supplied certificate.
     */
    private int maxPathLength = 1;

    /**
     * Deployer-supplied setting allowing an unspecified (unlimited) pathLength in a supplied certificate.
     */
    private boolean maxPathLengthAllowUnspecified;

    /**
     * Deployer-supplied setting enabling the KeyUsage extension check (off by default).
     */
    private boolean checkKeyUsage;

    /**
     * Deployer-supplied setting requiring the correct KeyUsage extension to be present (off by default).
     */
    private boolean requireKeyUsage;

    /**
     * Regular expression that an acceptable certificate's subject DN must match.
     * Defaults to {@code .+}, i.e. any non-empty subject DN is accepted.
     */
    private String regExSubjectDnPattern = ".+";

    /**
     * Whether to extract the certificate from the request rather than from the TLS connection.
     * The default implementation parses the {@link #sslHeaderName} header with the Tomcat SSLValve logic.
     * Kept off by default: enabling it is only safe behind a proxy that strips that header from
     * client requests, since otherwise the client could supply the certificate itself.
     */
    private boolean extractCert;

    /**
     * Name of the header carrying the X.509 certificate (e.g. when behind a proxy).
     */
    private String sslHeaderName = "ssl_client_cert";

    /**
     * LDAP settings for CRL lookup; unset unless configured.
     */
    private LDAP ldap;

    @Override
    public AbstractLDAPConf ldapInstance() {
        return new LDAP();
    }

    public String getName() {
        return this.name;
    }

    public void setName(final String name) {
        this.name = name;
    }

    public int getOrder() {
        return this.order;
    }

    public void setOrder(final int order) {
        this.order = order;
    }

    public int getRevocationPolicyThreshold() {
        return this.revocationPolicyThreshold;
    }

    public void setRevocationPolicyThreshold(final int revocationPolicyThreshold) {
        this.revocationPolicyThreshold = revocationPolicyThreshold;
    }

    public boolean isCheckAll() {
        return this.checkAll;
    }

    public void setCheckAll(final boolean checkAll) {
        this.checkAll = checkAll;
    }

    public int getRefreshIntervalSeconds() {
        return this.refreshIntervalSeconds;
    }

    public void setRefreshIntervalSeconds(final int refreshIntervalSeconds) {
        this.refreshIntervalSeconds = refreshIntervalSeconds;
    }

    public boolean isThrowOnFetchFailure() {
        return this.throwOnFetchFailure;
    }

    public void setThrowOnFetchFailure(final boolean throwOnFetchFailure) {
        this.throwOnFetchFailure = throwOnFetchFailure;
    }

    public X509PrincipalType getPrincipalType() {
        return this.principalType;
    }

    public void setPrincipalType(final X509PrincipalType principalType) {
        this.principalType = principalType;
    }

    public String getPrincipalAlternateAttribute() {
        return this.principalAlternateAttribute;
    }

    public void setPrincipalAlternateAttribute(final String principalAlternateAttribute) {
        this.principalAlternateAttribute = principalAlternateAttribute;
    }

    public X509SubjectDnFormat getPrincipalTypeSubjectDnFormat() {
        return this.principalTypeSubjectDnFormat;
    }

    public void setPrincipalTypeSubjectDnFormat(final X509SubjectDnFormat principalTypeSubjectDnFormat) {
        this.principalTypeSubjectDnFormat = principalTypeSubjectDnFormat;
    }

    public String getPrincipalTypeSerialNoDnSerialNumberPrefix() {
        return this.principalTypeSerialNoDnSerialNumberPrefix;
    }

    public void setPrincipalTypeSerialNoDnSerialNumberPrefix(final String principalTypeSerialNoDnSerialNumberPrefix) {
        this.principalTypeSerialNoDnSerialNumberPrefix = principalTypeSerialNoDnSerialNumberPrefix;
    }

    public String getPrincipalTypeSerialNoDnValueDelimiter() {
        return this.principalTypeSerialNoDnValueDelimiter;
    }

    public void setPrincipalTypeSerialNoDnValueDelimiter(final String principalTypeSerialNoDnValueDelimiter) {
        this.principalTypeSerialNoDnValueDelimiter = principalTypeSerialNoDnValueDelimiter;
    }

    public int getPrincipalTypeSerialNoSNRadix() {
        return this.principalTypeSerialNoSNRadix;
    }

    public void setPrincipalTypeSerialNoSNRadix(final int principalTypeSerialNoSNRadix) {
        this.principalTypeSerialNoSNRadix = principalTypeSerialNoSNRadix;
    }

    public boolean isPrincipalTypeSerialNoHexSNZeroPadding() {
        return this.principalTypeSerialNoHexSNZeroPadding;
    }

    public void setPrincipalTypeSerialNoHexSNZeroPadding(final boolean principalTypeSerialNoHexSNZeroPadding) {
        this.principalTypeSerialNoHexSNZeroPadding = principalTypeSerialNoHexSNZeroPadding;
    }

    public X509RevocationCheckerType getRevocationChecker() {
        return this.revocationChecker;
    }

    public void setRevocationChecker(final X509RevocationCheckerType revocationChecker) {
        this.revocationChecker = revocationChecker;
    }

    public X509RevocationFetcherType getCrlFetcher() {
        return this.crlFetcher;
    }

    public void setCrlFetcher(final X509RevocationFetcherType crlFetcher) {
        this.crlFetcher = crlFetcher;
    }

    public int getCacheMaxElementsInMemory() {
        return this.cacheMaxElementsInMemory;
    }

    public void setCacheMaxElementsInMemory(final int cacheMaxElementsInMemory) {
        this.cacheMaxElementsInMemory = cacheMaxElementsInMemory;
    }

    public boolean isCacheDiskOverflow() {
        return this.cacheDiskOverflow;
    }

    public void setCacheDiskOverflow(final boolean cacheDiskOverflow) {
        this.cacheDiskOverflow = cacheDiskOverflow;
    }

    public String getCacheDiskSize() {
        return this.cacheDiskSize;
    }

    public void setCacheDiskSize(final String cacheDiskSize) {
        this.cacheDiskSize = cacheDiskSize;
    }

    public boolean isCacheEternal() {
        return this.cacheEternal;
    }

    public void setCacheEternal(final boolean cacheEternal) {
        this.cacheEternal = cacheEternal;
    }

    public boolean isMixedMode() {
        return this.mixedMode;
    }

    public void setMixedMode(final boolean mixedMode) {
        this.mixedMode = mixedMode;
    }

    public long getCacheTimeToLiveSeconds() {
        return this.cacheTimeToLiveSeconds;
    }

    public void setCacheTimeToLiveSeconds(final long cacheTimeToLiveSeconds) {
        this.cacheTimeToLiveSeconds = cacheTimeToLiveSeconds;
    }

    public X509PolicySetting getCrlResourceUnavailablePolicy() {
        return this.crlResourceUnavailablePolicy;
    }

    public void setCrlResourceUnavailablePolicy(final X509PolicySetting crlResourceUnavailablePolicy) {
        this.crlResourceUnavailablePolicy = crlResourceUnavailablePolicy;
    }

    public X509PolicySetting getCrlResourceExpiredPolicy() {
        return this.crlResourceExpiredPolicy;
    }

    public void setCrlResourceExpiredPolicy(final X509PolicySetting crlResourceExpiredPolicy) {
        this.crlResourceExpiredPolicy = crlResourceExpiredPolicy;
    }

    public X509PolicySetting getCrlUnavailablePolicy() {
        return this.crlUnavailablePolicy;
    }

    public void setCrlUnavailablePolicy(final X509PolicySetting crlUnavailablePolicy) {
        this.crlUnavailablePolicy = crlUnavailablePolicy;
    }

    public X509PolicySetting getCrlExpiredPolicy() {
        return this.crlExpiredPolicy;
    }

    public void setCrlExpiredPolicy(final X509PolicySetting crlExpiredPolicy) {
        this.crlExpiredPolicy = crlExpiredPolicy;
    }

    /**
     * Returns the live, mutable list of CRL resources; additions and removals on the returned
     * list are reflected in this configuration.
     *
     * @return the backing CRL resource list
     */
    public List<String> getCrlResources() {
        return this.crlResources;
    }

    public String getRegExTrustedIssuerDnPattern() {
        return this.regExTrustedIssuerDnPattern;
    }

    public void setRegExTrustedIssuerDnPattern(final String regExTrustedIssuerDnPattern) {
        this.regExTrustedIssuerDnPattern = regExTrustedIssuerDnPattern;
    }

    public int getMaxPathLength() {
        return this.maxPathLength;
    }

    public void setMaxPathLength(final int maxPathLength) {
        this.maxPathLength = maxPathLength;
    }

    public boolean isMaxPathLengthAllowUnspecified() {
        return this.maxPathLengthAllowUnspecified;
    }

    public void setMaxPathLengthAllowUnspecified(final boolean maxPathLengthAllowUnspecified) {
        this.maxPathLengthAllowUnspecified = maxPathLengthAllowUnspecified;
    }

    public boolean isCheckKeyUsage() {
        return this.checkKeyUsage;
    }

    public void setCheckKeyUsage(final boolean checkKeyUsage) {
        this.checkKeyUsage = checkKeyUsage;
    }

    public boolean isRequireKeyUsage() {
        return this.requireKeyUsage;
    }

    public void setRequireKeyUsage(final boolean requireKeyUsage) {
        this.requireKeyUsage = requireKeyUsage;
    }

    public String getRegExSubjectDnPattern() {
        return this.regExSubjectDnPattern;
    }

    public void setRegExSubjectDnPattern(final String regExSubjectDnPattern) {
        this.regExSubjectDnPattern = regExSubjectDnPattern;
    }

    public boolean isExtractCert() {
        return this.extractCert;
    }

    public void setExtractCert(final boolean extractCert) {
        this.extractCert = extractCert;
    }

    public String getSslHeaderName() {
        return this.sslHeaderName;
    }

    public void setSslHeaderName(final String sslHeaderName) {
        this.sslHeaderName = sslHeaderName;
    }

    public LDAP getLdap() {
        return this.ldap;
    }

    public void setLdap(final LDAP ldap) {
        this.ldap = ldap;
    }

    /**
     * Delegates to the supplied mapper to turn this configuration into a property map.
     *
     * @param authModule the auth module this configuration belongs to
     * @param mapper the mapper performing the conversion
     * @return whatever the mapper produces for this configuration
     */
    @Override
    public Map<String, Object> map(final AuthModuleTO authModule, final Mapper mapper) {
        return mapper.map(authModule, this);
    }
}
528 }